Policy —

Lawsuit targets advertiser over sneaky HTML5 pseudo-cookies

A New York-based mobile-web advertising company was hit Wednesday with a proposed class action lawsuit over its use of an HTML5 trick to track iPhone and iPad users across a number of websites, in what is believed to be the first privacy lawsuit of its kind in the mobile space.

The company, Ringleader Digital, uses HTML5's client-side database storage capability as a substitute for the traditional cookie tracking employed by all major online ad companies. Mobile Safari users visiting sites with Ringleader ads are assigned a globally unique ID number which is stored by the browser, and recalled by Ringleader whenever they revisit.

But the tracker, labeled RLDGUID, does not go away when one clears cookies from the browser. Ars Technica reported last week that users savvy enough to find and delete the database have found it returning mysteriously with the same ID number as before—a result the lawyers suing Ringleader say they've reproduced.

"You can't get rid of that database," says Majed Nachawati, a Dallas attorney behind the Ringleader lawsuit. "You're left with this database tracking you and your phone and your viewing habits on the net, which is a violation of federal privacy laws."

The lawsuit lodged Wednesday in Los Angeles federal court also names as defendants a number of companies who'd allegedly been serving the Ringleader trackers on the mobile versions of their sites: Surfline, WhitePages.com, The Travel Channel, CNN Money, Go2 and Merriam-Webster's dictionary site.

The lawsuit comes in the wake of a similar suit filed in July against MTV, ESPN, MySpace, Hulu, ABC, NBC and Scribd for using storage in Adobe's Flash player to recreate cookies deleted by users of non-mobile devices, allegedly in violation of federal computer intrusion law.

In Threat Level's testing on Thursday, the RLDGUID uncookie was still being served from the Travel Channel, Go2 and Merriam-Webster, but not the other sites named in the lawsuit. In our tests, the database entry did not reappear. It's not known if Ringleader has changed its system's behavior. The company did not return repeated phone calls Thursday.

HTML5's database storage is a highly touted feature designed to allow websites to locally store data on the user's computer—a boon for offline use of a browser app.

The Ringleader site provides an opt-out action that can be implemented by pointing your mobile phone's browser to a special page on its website referenced in its privacy policy. How anybody would know that is unclear, since the sites in Ringleaders networks do not inform consumers of that fact, according to the lawsuit.

"Please note that opting out does not stop advertisements from being served to your mobile device, rather, it prevents us from associating non-personally identifiable data with your device's browser starting from the time you implement the opt out utility," reads Ringleader's opt-out page. "It does not affect data collected prior to that time."

"To the extent that the plaintiffs are alleging that Ringleader violated any laws relating to consumers' privacy, Ringleader intends to defend its practices vigorously," Bob Walczak, CEO of Ringleader Digital, said in an e-mail.

It clears the cookies. Did you miss the part where they actually explain that this is NOT cookie.

"The company, Ringleader Digital, uses HTML5's client-side database storage capability as a substitute for the traditional cookie tracking employed by all major online ad companies. Mobile Safari users visiting sites with Ringleader ads are assigned a globally unique ID number which is stored by the browser, and recalled by Ringleader whenever they revisit."

Just to play devil's advocate for a moment, isn't it Safari's fault that clearing cookies doesn't actually clear all the cookies?

I don't think you read the entire article.

This Media Stamp is purposely bypassing the normal cookie based tracking method and using a unique ID that stored in the browser's HTML5 database, so that even if you disabled/removed all the cookies, the company would still be able to track you and your device.

Well I think privacy is dead. If we are so against people having our information. Why are we on sites like Facebook, Twitter and so on? Get real, you can't pick and choose. Its just not going to happen. If you don't like it. Then put that computer or mobile device on ebay and start writing letters.

Well I think privacy is dead. If we are so against people having our information. Why are we on sites like Facebook, Twitter and so on? Get real, you can't pick and choose. Its just not going to happen. If you don't like it. Then put that computer or mobile device on ebay and start writing letters.

Um... the whole point of local storage is to store data that is unique to the user. It is a more powerful replacement for cookies. The fact that there's no obvious way to clear the data is the browser vendors' fault.

Quote:

HTML5's database storage is a highly touted feature designed to allow websites to locally store data on the user's computer—a boon for offline use of a browser app.

Misleading at best - this is only one use case for local storage. The fact that there is a session storage object in addition to the local storage object suggests that the spec designers intended the local storage to be used for longer-term persistence.

Um... the whole point of local storage is to store data that is unique to the user. It is a more powerful replacement for cookies. The fact that there's no obvious way to clear the data is the browser vendors' fault.

Sure. Because it's there, we might as well use it, right? And not let people know, and offer them no solid and easy way of not being tracked. And if people DO find it and somehow get rid of it, just recreate it against their wishes. Sounds great.

There is taking advantage of technology, and then there is making bad choices.

Well I think privacy is dead. If we are so against people having our information. Why are we on sites like Facebook, Twitter and so on? Get real, you can't pick and choose. Its just not going to happen. If you don't like it. Then put that computer or mobile device on ebay and start writing letters.

I don't use Twitter, Facebook, and so on. I don't want to give up that level of my privacy. I'm not going to agree to any ad group tracking me. I'm not going to accept the terms of their agreement which I have no part in. You can live in your no privacy world; I would rather live in my world with my privacy intact.

Well I think privacy is dead. If we are so against people having our information. Why are we on sites like Facebook, Twitter and so on? Get real, you can't pick and choose. Its just not going to happen. If you don't like it. Then put that computer or mobile device on ebay and start writing letters.

I'm on fb, twitter, flicker, etc -my avatar 'name' and picture appears on this site from time-to-time. If you know me and I know you, I'll tell you personally and if you dis me well...

Sounds like HTML5-enabled browsers should have a security option to grant or deny access to on-disk storage.. Then when you go look up a word at mirriam-webster, it would pop up a warning and you could, reasonably questioning why m-w needed to access your hard disk, deny the crypto-cookie.

Um... the whole point of local storage is to store data that is unique to the user. It is a more powerful replacement for cookies. The fact that there's no obvious way to clear the data is the browser vendors' fault.

Very good point.

However, it should be observed that none of the browsers that currently support html5 data storage -- including Safari, Firefox, Chrome, and Opera -- also has a utility for the user to manage such databases. IOW, this is not unique to mobile Safari users, as the article seems to suggest, they just happened to be the target of this particular attack.

Um... the whole point of local storage is to store data that is unique to the user. It is a more powerful replacement for cookies. The fact that there's no obvious way to clear the data is the browser vendors' fault.

Very good point.

However, it should be observed that none of the browsers that currently support html5 data storage -- including Safari, Firefox, Chrome, and Opera -- also has a utility for the user to manage such databases. IOW, this is not unique to mobile Safari users, as the article seems to suggest, they just happened to be the target of this particular attack.

What?

Safari:Preferences/Security. There's a 'database storage' section. Show Databases does... well... and you can specify limits on local database storage before Safari starts getting angry.

Mobile Safari:iPhone preference pane/Safari/Databases. View each database, and can remove them individually.

Well I think privacy is dead. If we are so against people having our information. Why are we on sites like Facebook, Twitter and so on? Get real, you can't pick and choose. Its just not going to happen. If you don't like it. Then put that computer or mobile device on ebay and start writing letters.

What a piece of crap! How in the world does my activities, on closed sites where I have to allow people to see my data and activities, has to do with AD AGENCIES collecting data, without my knowledge, behind my back, todo with this?????And then they even come up with ways of making totally foul of me if I find out and want to disable it? GIVE ME A BREAK!

Um... the whole point of local storage is to store data that is unique to the user. It is a more powerful replacement for cookies. The fact that there's no obvious way to clear the data is the browser vendors' fault.

Very good point.

However, it should be observed that none of the browsers that currently support html5 data storage -- including Safari, Firefox, Chrome, and Opera -- also has a utility for the user to manage such databases. IOW, this is not unique to mobile Safari users, as the article seems to suggest, they just happened to be the target of this particular attack.

What?

Safari:Preferences/Security. There's a 'database storage' section. Show Databases does... well... and you can specify limits on local database storage before Safari starts getting angry.

Mobile Safari:iPhone preference pane/Safari/Databases. View each database, and can remove them individually.

Just to play devil's advocate for a moment, isn't it Safari's fault that clearing cookies doesn't actually clear all the cookies?

I agree. Except that you should replace cookies with other type of offline data storage.But that is in essence just semantics. So what, that in the past you were rid of them when you clicked the 'delete cookies'? That's cookies only and might have worked at one point in the past. Then came flash cookie [well, not on iOS :-)], now comes html5 offline storage. Might as well come something else in the future.

Simplified, the main thing is that browsers facilitates offline-storage [regardless of the technology used] and that it does not offer a single one-click button: clear-all, or a one place to block it all.Now that more and more people seem to grasp the importance to control their own level of privacy as needed, browser vendors can't ignore the relevance of having a decent system that brings control to the user.

That being said, it does not excuse the behaviour of the ad company to try to track users as best as they can if a user would indicate he prefers otherwhise. Recreating cookies from other offline dat when the user deleted the cookies seems to go over that line and is rather violating pricacy.

But what happens e.g. when the ad agency does not recreate the cookies in the first place but posts the unique ID as a hidden form field? Can't say that the agency violates the user's wishes by recreating deleted cookies then, can't we? And that issue would not be solved by deleting cookies either.

So I come back to the point where I consider it a browser vendor's responsability to offer easy ways to manage such things, and manage them completely.

EDIT: and with manage, I do not just mean 'delete', I mean allow to create/write offline data in the first place as well.

Sounds like HTML5-enabled browsers should have a security option to grant or deny access to on-disk storage.. Then when you go look up a word at mirriam-webster, it would pop up a warning and you could, reasonably questioning why m-w needed to access your hard disk, deny the crypto-cookie.

I like this. Maybe something like an applet permission request or a plugin--especially if this is how people are going to use it. Found it on my iPhone and opted out.

JohnnyTheGeek wrote:

Well I think privacy is dead. If we are so against people having our information. Why are we on sites like Facebook, Twitter and so on? Get real, you can't pick and choose. Its just not going to happen. If you don't like it. Then put that computer or mobile device on ebay and start writing letters.

This Media Stamp is purposely bypassing the normal cookie based tracking method and using a unique ID that stored in the browser's HTML5 database

Still a problem of safari. You should be able to purge the HTML5 database in the same way as you would with cookies. Otherwise it was designed or implemented in a shitty way. Its just another form of local storage. Nobody said that it cannot be used for tracking. (And if someone says that this is not the intended usecase then he is delusional. As if this would matter)

Um... the whole point of local storage is to store data that is unique to the user. It is a more powerful replacement for cookies. The fact that there's no obvious way to clear the data is the browser vendors' fault.

Very good point.

However, it should be observed that none of the browsers that currently support html5 data storage -- including Safari, Firefox, Chrome, and Opera -- also has a utility for the user to manage such databases. IOW, this is not unique to mobile Safari users, as the article seems to suggest, they just happened to be the target of this particular attack.

Safari:Preferences/Security. There's a 'database storage' section. Show Databases does... well... and you can specify limits on local database storage before Safari starts getting angry.

Mobile Safari:iPhone preference pane/Safari/Databases. View each database, and can remove them individually.

Thank you for the correction. Yet one still can not readily examine the contents of the database as one can with cookies to make an informed decision. I was also in error concerning Opera 10 which now has a similar method to clear "persistent storage" under advanced options/preferences.

as for the ID, could they be using a combination of browser agent strings that are for the most part persistent, but unique to each iphone to create their ID? if so, that would explain why it always regenerated the same ID number.

as for the ID, could they be using a combination of browser agent strings that are for the most part persistent, but unique to each iphone to create their ID? if so, that would explain why it always regenerated the same ID number.

It is also possible they use a hidden form to collect browser history. See http://startpanic.com/ for a demonstration.

It is also possible they use a hidden form to collect browser history. See http://startpanic.com/ for a demonstration.

doesn't work in Safari5 on the Mac. It only lists startpanic.com as the site in the browser history. Firefox 3.6 on Vista listed 3 sites. Most of the sites in the history, but not all, and IE8 on Vista only listed startpanic.

also, while it could use something like that, the list wouldn't be persistant, and since the data most likely would have been changed/cleared, it couldn't generate the same ID.

The logic of this argument is flawed at best. People are upset because they cannot clear HTML5 databases by going to delete cookies. Obviously that function was never intended for that purpose...otherwise it would be labeled "clear cookies and html5 local storage databases".

Now if there is no way of manually deleting the databases then that seems to be more of a browser specific issue where you could say why hasn't Safari implemented a feature to removed said databases if they were going to support it in their browser?!

To me the blame seems to be browser related. And don't even get me started on people saying the standard is to be blamed, that's one of the most useful features being added to html5 and a god-send for web developers like myself. I will agree though that there needs to be a function in place to disallow or delete these databases at the users request though. It should ultimately be at the users discretion for sure.

An ad agency simply taking advantage of a standard browser feature is going after the wrong people all together.

Which is part of the problem of security vs. features. Features that are really useful usually end up having loopholes that allow people to do things they really shouldn't be able to. Never underestimate the creativity of humans when money is involved.

Well I think privacy is dead. If we are so against people having our information. Why are we on sites like Facebook, Twitter and so on? Get real, you can't pick and choose. Its just not going to happen. If you don't like it. Then put that computer or mobile device on ebay and start writing letters.

Um.

I'm not on Facebook. I have a Twitter account but I don't tweet, plus the account has zero personal information on me. I use adblock (but not on Ars and a few other sites).

The logic of this argument is flawed at best. People are upset because they cannot clear HTML5 databases by going to delete cookies. Obviously that function was never intended for that purpose...otherwise it would be labeled "clear cookies and html5 local storage databases".

Now if there is no way of manually deleting the databases then that seems to be more of a browser specific issue where you could say why hasn't Safari implemented a feature to removed said databases if they were going to support it in their browser?!

To me the blame seems to be browser related. And don't even get me started on people saying the standard is to be blamed, that's one of the most useful features being added to html5 and a god-send for web developers like myself. I will agree though that there needs to be a function in place to disallow or delete these databases at the users request though. It should ultimately be at the users discretion for sure.

An ad agency simply taking advantage of a standard browser feature is going after the wrong people all together.

An earlier article pointed out the problem here; see the second link in the article. First, Safari does provide a means of clearing these databases. When you do, Ringleader has set the database to simply respawn immediately upon deletion. If you opt out, the database doesn't go away; the company simply sets your unique ID to "do not track", which basically means "we're going to keep tracking you, but not really. Trust us!" If you opt out and then delete the database, then you've cleared out your unique ID, and they just assign you a new one and start tracking you again. By taking steps that should reasonably help maintain your privacy, their system makes you compromise it! There's a difference between "taking advantage of a feature," for which we could blame HTML5 and the browser, and "manipulating a technology in unscrupulous ways to take advantage of users." That I think we can blame Ringleader for.

Well I think privacy is dead. If we are so against people having our information. Why are we on sites like Facebook, Twitter and so on? Get real, you can't pick and choose. Its just not going to happen. If you don't like it. Then put that computer or mobile device on ebay and start writing letters.

NO.Companies like this are essentially invading my digital device, plucking out information they were never invited to grab, and making bunch of money off it. I'm very much hoping the lawsuit succeeds. Just like someone sneaking in my house and copying info off private documents, they are NOT permitted to do so, even if they bury what they're planning in some obscure 'privacy policy' page. This needs to change, and unfortunately this kind of legal action may be the only way.The default needs to be they can only take what I allow, specified by a clear opt-in choice. Right now, it seems like the default is they just grab whatever they possibly can, using any/every method possible to hide what's going on and obfuscate/deter the device's owner from controlling the flow of their private info.

Well I think privacy is dead. If we are so against people having our information. Why are we on sites like Facebook, Twitter and so on? Get real, you can't pick and choose. Its just not going to happen. If you don't like it. Then put that computer or mobile device on ebay and start writing letters.

Do we give a shit what you think? and stop using the word "WE" as obviously you are only representing your own opinion.

I use the word "WE" because judging from all the replies from other directed/reply to your comment.

I do not use/nor care about Facebook or Twitter, I also do not like the fact that this Sneaky AD agency tracks my habit without my consent.

Digital Privacy is no different from real world privacy. What I do, how often I do it is none your fucking business.

And this so called "Opt out" does not really opt you out. They still track you, just indirectly.

Just to play devil's advocate for a moment, isn't it Safari's fault that clearing cookies doesn't actually clear all the cookies?

I don't think you read the entire article.

This Media Stamp is purposely bypassing the normal cookie based tracking method and using a unique ID that stored in the browser's HTML5 database, so that even if you disabled/removed all the cookies, the company would still be able to track you and your device.

I don't think you read the entire article either (or it didn't quite discuss what another article did that I read yesterday): if you visited their RLDOPTOUT link, it changes your ID somewhat to indicate "opted out", but it STILL keeps that database on your machine, and it STILL tracks you - it just doesn't custom-taylor advertising to you based on your preferences. In fact, even if you delete your databases, visiting another website with their tech will re-create the database based on previous tracking info (and re-set you to NOT opted out)!

So, they're still merrily collecting your data. They're just not using it for/against you...